xorist | 7238a977cd928a62fb7979092573daf2f0ae471d58dad1706e684a7612a8e4e6

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
Size

7KB
MD5

d64442e8a7be93d9483ed74af2e9550f
SHA1

5a5961f9a16626698d7d02638b6b3eb1794b96a0
SHA256

7238a977cd928a62fb7979092573daf2f0ae471d58dad1706e684a7612a8e4e6
SHA512

d800407caa400ca1dd875e77d286d76c4663041618cfafde8f4c9f7ab46aa0473aa1158aa5cb6d3aeb11eeda89eedcecc03ea872b9cb93f16b77c99bca062622
SSDEEP

96:lLZhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihEx7+HpFXWLThxfeGMUA:pzdrr1FG1WDCgmjPZ7+HpFXCxmGMUA

Score

10^/10

xorist discovery ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 4 IoCs

resource	yara_rule
behavioral1/memory/2336-4393-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2336-4394-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2336-4395-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2336-4398-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2212) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Switch.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_arrays.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Break.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_environment_variables.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_hash_tables.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_job_details.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Windows_PowerShell_2.0.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_providers.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_script_blocks.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_requirements.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_profiles.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_CommonParameters.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_eventlogs.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_troubleshooting.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_locations.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pipelines.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_command_precedence.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pssessions.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Reserved_Words.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Reserved_Words.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Signing.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\ClickDownNormal.gif	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_profiles.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Quoting_Rules.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsMail.bmp	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsOutlookExpress.bmp	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Automatic_Variables.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Assignment_Operators.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Continue.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_modules.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\Failure.gif	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pssession_details.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_operators.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Switch.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced_parameters.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_trap.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced_parameters.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Variables.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Continue.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Session_Configurations.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_While.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_blocks.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Automatic_Variables.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_FAQ.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Core_Commands.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_data_sections.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_debuggers.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_preference_variables.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_profiles.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pssessions.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced_methods.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_objects.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_types.ps1xml.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_logical_operators.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_troubleshooting.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\about_BITS_Cmdlets.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\en-US\erofflps.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Throw.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_advanced_methods.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_scopes.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_jobs.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2336-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2336-4393-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2336-4394-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2336-4395-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2336-4398-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15056_.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-docked.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15059_.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR33F.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_bkg.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\logo.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01746_.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\PREVIEW.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21518_.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21323_.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143743.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143752.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10264_.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14580_.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\drag.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\THMBNAIL.PNG	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_SlateBlue.gif	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR50B.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\flyout.html	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21314_.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR45F.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\RSSFeeds.html	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdater.cer	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21343_.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\background.gif	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21336_.GIF	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\drag.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_execution_policies.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\system_m.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Characters\Windows Exclamation.wav	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows Balloon.wav	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\settings.html	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8734fb86705288a7\flyout.html	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Command_Syntax.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Windows Balloon.wav	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..adisc-style-shatter_31bf3856ad364e35_6.1.7600.16385_none_0cd72f8900478c68\1047x576black.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Comparison_Operators.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Special_Characters.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\docked_gray_thunderstorm.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_functions_cmdletbindingattribute.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Afternoon\Windows Information Bar.wav	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\item_hover_floating.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_6.1.7601.17514_none_7a2ff57a626c29fd\Speech Off.wav	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_hash_tables.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_objects.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Windows Logoff Sound.wav	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\30.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Sonata\Windows User Account Control.wav	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\406.htm	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Return.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_scripts.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_679a6ba79b07a3c0\logo.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-14.htm	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Garden.htm	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Windows Battery Critical.wav	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Throw.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\Performance\WinSAT\Clip_1080_5sec_MPEG2_HD_15mbps.mpg	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\PassportMask_PAL.wmv	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_725857cf41f74c3f\settings_divider_right.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_remote_FAQ.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Windows Balloon.wav	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_logical_operators.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_logical_operators.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_815d27dbb889ba17\icon.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\buttonUp_Off.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-18.htm	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\Title_Trans_Scene_PAL.wmv	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked_black_moon-waxing-gibbous_partly-cloudy.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\rings-dock.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-full_31bf3856ad364e35_6.1.7600.16385_none_ce3a164d3f0fa152\NavigationUp_SelectionSubpicture.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_objects.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_6.1.7601.17514_none_6fb51b358e21d75f\boxed-join.avi	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-push_31bf3856ad364e35_6.1.7600.16385_none_cc073ae540855a07\pushplaysubpicture.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-sports_31bf3856ad364e35_6.1.7600.16385_none_c1c84490c211896e\SportsMainBackground.wmv	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Heritage\Windows Ding.wav	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\img16.jpg	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\settings_divider_right.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\passport_mask_right.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_job_details.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_Path_Syntax.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_format.ps1xml.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Signing.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked_black_moon-last-quarter.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Styles\PAL\Symphony\Symphony\Symphony.psd	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Language_Keywords.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_functions_advanced.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\square_s.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_execution_policies.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_6.1.7601.17514_none_61acd141e5332baf\wmpnss_bw120.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_providers.help.txt	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-oldage_31bf3856ad364e35_6.1.7600.16385_none_02ee3365ea53e1ad\NavigationRight_SelectionSubpicture.png	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SRTUIYIUMUTPWSH\ = "CRYPTED!"	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SRTUIYIUMUTPWSH\shell	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SRTUIYIUMUTPWSH\shell\open	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SRTUIYIUMUTPWSH	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SRTUIYIUMUTPWSH\DefaultIcon	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SRTUIYIUMUTPWSH\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qeKCtQOxWv9095H.exe,0"	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SRTUIYIUMUTPWSH\shell\open\command	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SRTUIYIUMUTPWSH\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qeKCtQOxWv9095H.exe"	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "SRTUIYIUMUTPWSH"	d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d64442e8a7be93d9483ed74af2e9550f_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
fae29237f2d54426976894b11ef07fca

SHA1
5166dabe22ea696f26bf5eeb500928125ba00f1c

SHA256
7869e80fedc9ab2da80deec3a85400fa494db20c275742efa8f48daa47f73111

SHA512
91dcbe9f26320d28ea5fa33744cb00ad4288b9a3dbde6d06631f593c8449c2841811c23e30645c7c7cf30bc52a5836cba03c47ba1a773768e92a569f81d08236

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
b04549f9c53162457bd127371e7a3338

SHA1
1ed2841e96815f1cb40799c94a0ad10c8a82f613

SHA256
4af001ed42c5f1906494b0c656647dbc662cc4dc9456a0fcfcd0e3e1317562bc

SHA512
13e335ae207f84ed07f8821aca1fd542e1e416c4e5f16d3728747aab2fa02c3841b65f9f77eac920fc3d0fa6eb04701c88fde5f391d3f54deed0c511b7c490fc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
6fff9cd80855bca5f14d611e0e1615ac

SHA1
db29d2db303236a8fe51446429d4198bdc7a9863

SHA256
56f65a59dc1e9090b7fc6f18fe3d089a0935fed13492162f5cf2811f4261b53c

SHA512
13c82fdad838db96b2b069d28d29f6846cf03354b5496109f796c10e0bc24914aa938f819b9ec50fa6dc61b0568f1f279a2821b502bacf750fd8d9be48a72218

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
f5b580a738dbd4b0d69fd8556cc37838

SHA1
aa5bfc080dfc49236d5d4a2e16081b006c2a8899

SHA256
afa02bd3591e8dec3006fc73ae0eb4a32225db28d672af64786ec9dac4d3a420

SHA512
b5c799c816207cce88c98c67e298fd432e43366aadb6fcd2c6bf61fe0017596eb546242d2ccbb514ec3307864bf3fd88ce6930deac059d1215b79dba3e2542f1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
4e6d3418975e65de9498124a3f4880fe

SHA1
00e981a154ac7bb392a98bf5587363ec6015ce21

SHA256
4a1f1ac394394c63e5bf2fc3c7ef7888433dc9561823722bd69a50a1db728262

SHA512
9ad3ecd021921d4c1dc7eb24d1f50740fa5fc2f0f62543de0fd86b0a7e39a2ad72f0d3956b574cf98a24cb88603d3f387189f665e46dd1d30a60ed1f8d6798e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
59cde175f8877fae0d3532b7418a4d9a

SHA1
09b2487fa1982dc0a32fc972933d250ff7f943d5

SHA256
025fb8820dafd7eba45e2004d0cf1acb5617a57c125c5159f6b9499f88d64c15

SHA512
ed18e45acac6dba1e0e832088aac0269741dbe4409b8c9754e6bb710beca39b3f0f46c54e95887e44e1726c65f5cb8288e610a28b5d8b928313840d98cad9fb5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
91d854a71344752183e2eb95ac2ac2c1

SHA1
168dec05b0e826b2f738d84676f2af5d3c0a05c2

SHA256
13cd8c8334b99f4a4e110aebb258ac1b59c71638654cdd7a57cdd3a9db0d48c4

SHA512
03a94ab08a6bc16d4fd6561473464b18512e1a886b237f9fad1e0d5a5bc863c6ba0bdbeb9e995ae6298fd4c869bcb37aaf74b0f80af677822f2b7436a0f7e410

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
9570703bafa8f543c765869272d5d5ab

SHA1
e93c4c58810e4a5626b14993555e01b8c63c150d

SHA256
6bee7f9f52d5293ec7dd0ea6618f3cd457affb5be6f6a5ddb13bd20cf7eba4ec

SHA512
12016acb04d89cf0dd90d8b40a6e4f13df1f3274f425c0b02f380ed18857d89e3f37a43421233c2ff21bc24ed48b7e56af40d74515ed4b7cc41fc4beeceadcb6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
5b1fa0f9f1d2a991c6f345fada64dd83

SHA1
62e40de582e06ba3bbb09d29f53c5fcbe3058dfa

SHA256
a86ca6356033a76dc0dabee80b4cf530f2373a9ee99c3d42eafeeebbcef8c866

SHA512
f02c31220d55fb5540da8efe94e81ba0eab11ccfa3e81fc2e797b9935954db21cf3d480f40af7900f5fb92ac7574aae829266ddf634c9280ee5839e1c0266fb5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
fbcd068c4b8427d0f8d44ed4887041d8

SHA1
05bc3c064a1f6559a9266c2d4f9f2adda01e7b88

SHA256
011fe8ae4819b5b18bb1558f31f8958c78644e12d8e4ff9cbcda51e2005af888

SHA512
db0186c861f2edc252ee8d0f24ffe727e38f8313823e69d2609b33f847005d3baf98c4b980e5a397db124a7bd0a0d677c4734289f19570175d89ccf540c1d3b2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
60ef0d0ec998fb1fff6882939b9e414e

SHA1
dd25cce3c7c6e0850c5365e69512bfc145a7dbd1

SHA256
76a87a204d68900bf71a1882330fe454feb6fe0e18c88c90f23ec5eeb414a628

SHA512
b422412eb9115b566ce4dbd9fae450584d25544a7252faaa9b7210a8c5ea1545f186a3d35af0f7c184996258badfbf613e217729c82db18b876232120c0a6d57

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
4933eb75ccd894f3ad54cf0c7f67e495

SHA1
48d5250eccaf9b67c40548b1e3623c34e7e82ce3

SHA256
adecb532fc21b5a7378bbe662cab1acf2d6c50f86ccda28180a2757e8a918f7a

SHA512
56565eadaac8f81a691e82d831924805e35e687de59031e6fd50b77ae32b301dc3691d8729c7ccc7bd7a3e7cfc39aee94411a8c2ff90cf95fab38b49166e465f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
7be06b9da8fdfe03f74d478dba16e673

SHA1
81d2c49f46eaa6acf3c595137f1dada9e29cad65

SHA256
995b839c82f14f24520cda23229c7a9278a53fd6245a0e8875dca4fd86320f7e

SHA512
fc1fd71a11d3e23f28b600ed540ba1809413beb77601cc678e3e8d348acc3b7ee7e596bad63970498ddf68eb5b5dd2620271e7125e94dd0de8962672b633f866

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
ee83d0a0c60790cc485ef3a456073263

SHA1
1006da91758556113171b6aed1ef2c1ac135be90

SHA256
c9e440610d1898d82462a949b4a95ef2776efadcb52e76988d62c61071869587

SHA512
47bead3a8bee2a8e1279d0859b0061f9b3641aabf525acab4f6b176d85876529a2eecf64981103a8e389b6ece97c51017c490486db6f415f72dbd4f605792e34

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
fa41fa08cad3acf1b8ae6556b9e9bcce

SHA1
536e758cdfd2fbcabcc65782431cc7414b94f47d

SHA256
46ff3cc3b0c7120c4fa43c4a2a3144863ed9774a8c7cfd4adf5f2fa63c53214c

SHA512
783b037f0360d5ab776acd4dcb240442d063a115935c6abd00abedcf3e49e2c28b7f809cc741a2cf8951716088b37f3f7e72d881ef4f5ea2ba0b2a9538b3e988

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
e0a8d45a92ecb2581e564c01acdba092

SHA1
c15a0c3e6c32b52f076a07b253782cd8b70365af

SHA256
36a38a12aa23bb141a14d4a66162f0fbb714d943fcadb2dcab04b2851e097580

SHA512
521a31c7a6791f10ed3d8c8ceceb5ef5cc7f98ae937bdf1d8a92d81503b9d9a1351515ccb7396cdac79af98b8605589cc53d979b13ae41b881661f165eaf7610

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
6f44c1e5ae325ed5471bdc977359fdb6

SHA1
a75a3e4b7b73e82a3e46a3f3f129337fafc033cb

SHA256
7338075d9876ca84a1b0542192674d0f7f25d9456a32d8b8a699de569d5ba23e

SHA512
4e6ea04d1ad17c82c9f20144fedc1dfdd081851e3558ceae9f970da078f27a97573ab948f08ec2e27a20780319c0e223ab44f63aeea711595155687b7d8d7a0a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
fe27aafb15dea7b27d9990188908aae3

SHA1
e5d57429e8c80d802f8ce2dab338db138f530e5d

SHA256
e8b97da7b0913d0126a024aec031edcb949ed3ed12e436e636cb334fbf3ca31f

SHA512
338d17ce815a184749496376e184481f6da0f0b8e35d8a8e1155bc175b704eeba714ee6719c799446d1cbfe54761e6d88c87fdfdf131defca3ca5ffe1e2d2311

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
1b32dd840fe21fa7ca244b942ab7d944

SHA1
c6d8e16d92cb13bd269b3cf4580730959ebf2021

SHA256
1fa319f6bf7a575e89e0572bf9f15b135e7a33eebed40b0c8f2e98ac1074a42c

SHA512
17275719dfc349610b374d4771f6e8ac20a26afcbd4f225b7f845d3c3c936c77c07bbdbaabe542722855deed5565bfd64552099646908a0da2402d943d0ce58c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
07aaba9adbb0bf380e71ed69730df061

SHA1
c7e8198e6cf51166211592945970fc685ba83205

SHA256
3cb6046f612a3fa9b1c056e301acc1c82b83a51a9a55518ad4ade0027c45fb1b

SHA512
23e35d5ece907192c14eea2f477a0fabd4b5ca687b47d241b2ee4c8db5fdb6af21687ba8c8bd943ed7a3c1e7c17370645df4b5a1a20e7fb55349e7ec788af077

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
c10f50c3dce3c89bd5bacf5801dcb603

SHA1
465d5d5d4daf45ead77c8e31547c1b1cc489e7c1

SHA256
f850a4f27642bf88494d95e9888833b95a0c044236e223c3c1ac0215d486033a

SHA512
2c2cd69785a85d6e603148d2b32c332b3e63ffddca480433222b4f6379da79d7fc7bc7cdba2b253977daa90992ff891967fcc0b655449fa10c1756bd3d803b74

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
ab1ea6e97c1d2c7afa76fbf8cb9df1b1

SHA1
84861ce48bcb8d0100be8c4d4580a061abf3decf

SHA256
72f8644ff238cd5c851897d983cad7752842a198b3ab46cddcfc74adc6bc43de

SHA512
5684795b2860de904012dd52f7a99c0624949a3696f5d1e2fcc26dc9c8e4b15cab919064fad4df9e0ff0a3851b2bad7b48ea4f7ea6b28255a88a7a9d413267dc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
bd8dca2496f4ab49944795665aee6872

SHA1
647fb91d240fa00018c530472e5ff1ba8e07407d

SHA256
019d33386e0df1387760789e4be406264d4d6dc4aa7310b49b2cfca38f7c712f

SHA512
29d3bd2313fde9c6f1f694df3c7acc22a043018a4b673f5ba030e2ad4829dff4c0952b3d457fd6d0540b3cb969874efb0a22eea1eb60a343902d3c6207d5ca2e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
f6fb464fb82aa76e8d5701bf8921a310

SHA1
e8f75ab55ca7088835470233d66ae2aa39cbda66

SHA256
f4eb3f0117e3ccf8c88ed9e8a9520b8bf60080da817d20cb06d579351213028f

SHA512
0975ad79bc58cc2a3cfe7706584df82609918dd515c8541683aad8843ec276ca735b5a63ecdb1fb7f74971b8f58579b1bdb8ddcb190294f6fd761de61312a39d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
8ea3a23ef9bd1b35a48e5f55cca008cc

SHA1
4880eed8fab40b7cc575382d14ac448e87d496e1

SHA256
535b25f2ebe5319b4abf0540e1a287d37e2f712e5915489e62abc77da46cb0e7

SHA512
137b29235cd84e39ef50e4fb43d526436c05bd4e3be6cfeb39677a8c6246978e59215a5a89ad5f9b1d90382386014f8f3b8e9e0c79cf3860d3a7a5c50aae55c8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
526aec80491c1df17c0c80fbfadcee87

SHA1
06599b2aa94f8e0d72ddba414b13077f5537a56c

SHA256
dbf64d0eeb0a8a19ec4738afa5ea3c5a2216d5c562bf9030477b9e46e46f25c8

SHA512
2a110264985ceacfc6748dae9321b4c4393c2e970e7ccf0bd7708de95d16a077a02a24dfb96618b4a134f2391ce49cac0dec0af97200de9d49a57241d8bfc9e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
26f8a0ec2698cc2f2f4c8fe318480ab0

SHA1
ad54c522ed549d68eb77c6a416a57f02127190f1

SHA256
3039b791aed33206a215be2c04fbc31ca7800d47f8738552ebb071cdade9d573

SHA512
9890ffca9d3202eade384db70d998bfbad336adf3f6eb66427090b8a64ce890f3d98fb8d517f23b080802cb79f651a9b280211bdb000b9ed1b9955e52014564f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
78968d5b93959f3b9355ca23affb1b37

SHA1
8cd783288945f5dd26026ed99b74b550d67f5c6c

SHA256
e6d12f9737c7f5896c68c1a2c59581c2be6113126396dfdc857cdd57df587d1b

SHA512
fb0980b9c83fe03315bb3c88088e92ff6548d362076bcac5c25fa2874e2f1f3d99c2a98c4e1d1f9eaf53e92b80354bdb4181cfabb2dd191500c84554228943c5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
daa82d325f2e9ae9dc0f958bab44cafa

SHA1
8d77f8f6c76ee1bbdada026f1b2e895589039d39

SHA256
014547558f9419a7c5256185708301df34d967d05ba245bd8c1562ef668cbf72

SHA512
ab52605cf9ba34f5019b0717aeafce0725083dbfe0bd2fbc5a34a1c9208dca62eaed82f571178180cdd12d87525048b27ec6df517088f991c17a9e959d90eaed

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
196ad7767d10fdcff64a049d6b8917e4

SHA1
e05f242cc20143954b3f6e7cd3044e5f05051c1c

SHA256
9703cfd9ff511e199b474e95c6926183165bc6e2440a9cec60c33171dbd636a6

SHA512
e5b3d74b0dc2de46cdc4ae681db64c2f6446ef04a3047385148f54bb67c77b58d14d8d982f87ed8fd0e859399b3ee31292f609c76a7ae977f76b19fce77b8990

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
46392285b1c8d0b067ad385022994af6

SHA1
7ab042974540671a9a0efa6777af3ed19daadb7c

SHA256
feff098f3de8e7acd5a8af2f8194eb068259432e7034e6a81c7b25d331ba3c0a

SHA512
f1f95812ec41647892067864d6f9754d556ae08eec8ba5606874354714fb6b7d7fb3225eea8909f596f90717493d9cba0f6fe37ffaff242ac2b6dc412ee4726e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
e89a67318e699593bf9f087ab024ed47

SHA1
fcbe49890bc1257b604238cdd44c9ceba893ce65

SHA256
4cc31ef1b8fce268b8cd9f9e0b6629684fd8c44ecd64a01bd20b1d221da01885

SHA512
ad585d166b784df890df600eeb982605c03f0761814ae90a3db8dc5381dd6ab921d4b3821a92ee5c13c83d0937b7db89afaccba6c25f60cfc0ad4dbaeb9613cd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
ae083521d7cf862e573621f9916cf2d0

SHA1
f5efb1b95bdd71bebc5e401200d7daf73c61cc31

SHA256
459edd621702c3ddfc8bbef42be6bc29d40367d4fa8c3410601e729f507a75f2

SHA512
9b8713d12b548bc3c9aa7fd29930e63a2594b2e267393bf79b22a3ca3f7161cb5c3cc4b4749f20c17c6b9a37978ce5925fbd004860645cfab8312b0f22a63c14

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
c981c75a7d3c8ef9b626c9850448c8f0

SHA1
0bdd795a64c1756a850d3724b40f2467654000b0

SHA256
b78e8559e5b4b896c088a987cb3505e749f485e10e7e23af54679d0d8d38db95

SHA512
640a124a83ecadb7238efeaf9c63f6020bfbc073399d22b143da3239b7ffddeb90c4d5f9eb10590c5b322d6cb33b73cf31b2085546bfa7bf70a322d38b5bd96a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
afc2c7e2d9cacc26121e81a567698d05

SHA1
af9489bbf752d6808a658fb8c33bc49fc8b7443d

SHA256
eef7223ad8393268c3874d8dd82d4209fcb2d9d63d3a841fb4bc65bdce3bd9a9

SHA512
5af0664a7bd8b3577a48b9bae669da792fbb1639c6a71a352613b2d81ec4c4613a7411d11f7929d25aa3ad64a29ecce33dd9528127478c2563773e1b23edbc2d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
3309e79ff09a00a74410ef125b7debe2

SHA1
98cf2bb7dccc716cf0137f1b4bdd1857d7054bbb

SHA256
7e57dde5410746d0dcf338630b92ac55b48dc20d843250bfff9bb8d22832920c

SHA512
29f3989550a072ab631ca83445558803b567fb28ae7e0b881cf21514a1e265ba914f3154d26b1b922f4684ffc910dae204802dd9adba168bf31555ecce7c9901

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
f5afcc651c240a278a4b5da4ee781158

SHA1
a7c58e11f22e0152a8a8844bbebfd1b24ddedaf8

SHA256
7f24719a532d253b20279c1e0e7d47153108cd5344a550c3a97cbfb40765372e

SHA512
8bdd9bf14c67345ae50fd88a5c907c99e3c6370798af23574c1e0135cdd08aea5866b2036b028439d1a493c2a6a1228a21d105c0a462dedcfc76b705024dbe18

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
4a44e196da65a05c219568f53befa217

SHA1
6e0df6e7e7dc2a2398ac955ca0bbab0b7907bed3

SHA256
4dd559178190cea8873581eea0688f4141b0273b3faf414a23edc51ec756d8e0

SHA512
405842604fc3e2473972df9eb2eefa58573af2e2c817df720841499beb3e8784a6819a64138326b7fa8629b2ff3ec1f30c9bcf412078ab17a44b286b26b9f88e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
2d9acd6944e20f2a132fd97148598072

SHA1
c1a70f8ec56e0e17b9067d7e3fe1a3bbd6ac18f0

SHA256
a9afa81ef9576b4eb2ea1edafd6049a01755bb04a5b162a77ca34f92283de8f0

SHA512
965dc11da904139b3b0c112b0757fccf5770930b55893dfbbf9f2e334ce6ba10b6ec609526aad540b948fd7f37712484b14145a98e427fb9a1f7a2dc96c7377e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
8f3abc47d5dfaf4c795e6c5c74e76fbc

SHA1
0b5984ff07c9bbaa3fc1d94052332eb85697f4db

SHA256
07ae0ec0e4ed6329593ec8d54dd5c114bda288b38e77a5ff78940d42e60c07b1

SHA512
a23c86b7f89abd924276b673813a1a34b9296d3f7275a90a785841bb8626fd19b3b70077a87936025d2322c0aa399822fe54d04350a240cababd1e37bf4011ce

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
2d74059f1538b6f756dcc6721975b3b2

SHA1
4f98d5d459f4260ff0609ead2808648c32c4fd46

SHA256
a9f40c5a68329d8151bf89841ea76af749aa83e276de6c3ae2d399440583cba8

SHA512
76168ef37920214ab35d86c106fe5c9633414710a57a5b9d72f24c10900e7e955fd6b4c0efbe51f51a2824e2723b1e741ed72d42e96315267683f21b236c0f65

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
156f9b4239f74042f61be295d1cf2fe3

SHA1
6bac277ebf04331238fa20b82dadaa3dbb236a11

SHA256
a0db355632dff7eaafa260787d47163b0db2bd87943fb5ed4d35f0a71c328eb2

SHA512
a9442679fbab444bb271a8af21d0cccf2d60762a045b06bfd4e890bb1285e1177af83ccb8d8600b080842867158dba31a99cabb84acca907e85cf984679591c1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
f075c911e422ece5a463eb1cda5c0da0

SHA1
af84b00c9e7dcccf37bf93edb546bb8eb9f19020

SHA256
25a5bd764dd32ffd93c6595f0327a680914ca42f848125a01bae166dc6802c7c

SHA512
9382e025b12490626f0772ce9134b69975ed739519de22bbceabb816413c07ca44ca229b74db4c6c55f9655d0e2b6ca0a538123c28d791d299afe60a4d825054

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
8dadf2d07b255df4ada5795dfa7f967e

SHA1
f222462d4814d11630ce5173419fc779fc72e286

SHA256
62fa0b68095f79f2f9c22a95e915ac6ebe7e15928e3d7efc32f00e6466c4b88a

SHA512
b648e0dc415b4705816b4b3d094c3037640485d31efa5fe40cc48db81a3960b45b61bb470c8fa57942659aa115c9eb376cb1e46a37b42e0dbebea6aadd32d229

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
f8d5742cf8ba2342bcb9da4fe0265b8f

SHA1
005a21948eae4357c61f52ad16c921b5ffe958b3

SHA256
3b319d302cf44e3cde43d5b236323ca32f7c353d6e5a6ca4ac187b5a4b8d53f9

SHA512
c926215204e94455b78492b15693172ca8eb40c2f73f5046a7497ce202be690818d7d97008d82d645052c9534ef9be77294e7a44315f3fcecbfccc314f90f5aa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
330048ad29c8f52762395ece3cf0b671

SHA1
6eae69f561e0ba0650e6c4ee194d2884427488af

SHA256
224881b950a53f676f56208a47a203115576f9d254c651b3023eaac15707b0d6

SHA512
345a2dd1ed6e4104985b5a6e21252224e36602c817fa875c6254be1f8f16ff97b6927ad671bbee72edaf2505aa5f504205b882b8645c0246850e3bac46621fda

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
b4b1b61ffa9e56fdb20a5abb91f9ee9a

SHA1
5b70179e1a5a7c395c92f7c5b6a9e133df4da612

SHA256
c07afe84ccb69a82268aeb58b0aae7e0d27778c80ef1bd7fc6fb78de16956f68

SHA512
0c80347f34f86c76a78f62671c82314466c6f7ba1e7f8085120479e979a2d2986d1ba489f21e77d91a0b3df2c0d381a34a4aa3267ad50586fa84c05314e8fff9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
3704b174a30d2d13192643521636b175

SHA1
1821dd80a59d360b40c89dcb8a219ec00ed76e76

SHA256
8ae77cc75f6bac67688c4de7aad402ee7fa2b87597be57234f118767a44c40ca

SHA512
0bd1ab14101691f9aa317d565ece9d7cc95391e32c7e333706e7f2ac5904eff6741a489e45bee2b272c434c5d16ad55b9d5a57f92586fcc06bd7b5379f8d67dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
422e997f14436a62f3930dbdbd538bab

SHA1
e8f78b0967a0dda7386bdc13c343f0b6050cc47d

SHA256
1461a9a846e081c8cc01e07419f3ec43c676ac8a5afb743c0c712895dc577f4e

SHA512
1c1712c8e5d783455394fa4fe775d5da1c62eebecbb4cb9e20a4f0ece532ccd734084c52ea5c01720a549f76fe5b6ac12d50d580bcde838478e08f479d5408c3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
bdb067fa46652ed48c00eabf26b6ee9b

SHA1
2479835e89cfa1c7bfb6c63a20c25ed8866ebe5a

SHA256
199e19ea5d84ed8fc9e1bde5c9dc88e25e8883287ff1976d66da6fbe99e4b4d8

SHA512
3d1c01916d415ca6483ae761ade21c7e10293d9f0aa7ac889965d37452d1d5b71e87566408df51a624ec293c5ba6cd04a8592b30ea8e8a66a126f1b0802aabcb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
b435eaf1cfa9eaaa80338f5518e6968a

SHA1
cffc577502c659011a11dea850fbadb27d8a3426

SHA256
b13a95117e4698f6c4dc5eee0b47f5736734d4199cce0419d7077666c4e97087

SHA512
511916ba4410f0a5322554bcbc9fb47a59d7ea0de8973d2d0d370bea14f22533b75a8f9dfa05cc00fda284e94a09349b3f53750f73af6b34b161a806cf1d5d78

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
aeb90935ac86e280217b62560c8e641d

SHA1
f6e7c5d5b556cb56f352fafb7d33661a167f4427

SHA256
ad56f4556d08fecd127869d6ff397ec9919a64ed574ec7f2a78665a5ceed315d

SHA512
6e4940c35b42061883c59262231ef3ab9c0b4ff02a7fbf4e792a0bc8f205d187239cb3f1414f27a1aa651df6b68158b1cd67dfb0936acb6e5659184d3ca0218e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
2178071c1659d2c5bd7e9b3667d4bc2f

SHA1
a1a31fe204cd54a67e6b15c8f02e17bee9fae346

SHA256
a8c43375495ce750d4a264a18e8560ae78774b4fbc4e5cbfff8756d80829cacf

SHA512
bfcd18ac746aa216f29c852347f61efe43fc8b7e14597ffa55aa94d180310923256ea56cc9c6878b091208bc727feb51f0300e6d3f2729a25ae5456dc70a6102

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
ea3ab8c86d7967254ad8066b3832651e

SHA1
1f69db22563104f5c16dcd96c9f580960bbdd223

SHA256
db6d07d70fc4104c5409cfad862e54c0440c73a6e1b280eeff0d84c9b1fd0f36

SHA512
15dccd85c0d7b5b5b12297a2d9dde2396e6c29396e5bd43ba7826c496620b9e59918253591e28390c1591ffc43f2b3d7db0c68a1ef100c28b757496b0fe8b919

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
2ba99a99960154e550ae8dfcf905fcde

SHA1
d022ea06195dc4aedd806a348d269f3c4f227851

SHA256
6a6ef6e3e9b430f193bffbd62367d713a76355edab3a325b47c835684411280d

SHA512
3e385c2f69ddd1eb583761d58ad095b2fa5bb6ff2aeacad88647e6413333a9e37692501f33e3f5e2b060bd516b19a0d7d45d23d92d2447b182f7f748c1472824

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
2e23376acd25f12268b3014977f6cc68

SHA1
f020a8b95e63d4b161926da85e330f9883ad037b

SHA256
ad8f49f30fe7c342ca0cc019df56915690a3f22186c13adf04645aceac3b16c5

SHA512
d1feb7772531ebe513a7e70a1307a4d89d2497afb0beb95e8832422b7329640bcd277d8fe5928f0b3e96440a18a9c680dd64c76ad181d7846e9991051aa3cb15

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
302a25754a16510ab08e11fde77fb83d

SHA1
5b5d6022329e50edca0ed76d7e7830a8214a0f40

SHA256
d02028bfce378ddc89bee37173f698d4eb81256b63eebe13f704792e0b82274b

SHA512
50368cadbfa9cf8b7fb998e6f411873be997e914f66032e4994a0552648b4d8662caf3c312ef99c1120525a7fc5bc91896e82599672c0609720747d4623bc1ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
cc4fa183c83f4ae5d5f1b162833f70c7

SHA1
d20c572b80478cf77e6aaf3d4289883d3f9f8445

SHA256
74d534e283594ee7f59a500998a7d5084a121b9ff57ef162cf81e8de63806907

SHA512
77d8596475e763103b01262e361005641d2dfc173f950ec1240f0c9accf127b0a523a519f25d6c0c9461e72e7559cc120bbbc6ee23295b5b955c18858784dfef

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
aac6dc631b94e509ad1265e0e218aef2

SHA1
38f7f71d5aa0ba644d33ceafc2b26db63f2515cd

SHA256
bb10d003200f2dde6ae1cf915362f0696a3606c5c4f2d075de1ca06f97a916c9

SHA512
b6e6ad88ffbf70f0042e00ba034cdd3793e90cddd2ce4347fdd67eba0e5d978fda06398483927ebb8219b9ebabb2c7fd97f6f05c217f31a6cfa497ba2df3a6dd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
5d24a3132a6d4ea2e5d157b7bf599ddf

SHA1
a580cd1ed4530737222d3b24130334d7f8c0273f

SHA256
7e1d374e6caa4b4f162edb28d76d3f1a3c46bfec9cc003514d7a80dd1b457f46

SHA512
8a34687d0e1ee58ebef6c5d1ee02bbb0665863dcfd04c6e905a3a4d121bd1e5945a90c87fed38fcca7716cd31a1ae5178276dee887d4fbec6ab85dd689a1113f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
7a83aab372defe0991cc8f6c783ff207

SHA1
012d60b62a0902e1100814b1b5af9bf77b2d7213

SHA256
5ffb9a03b5d8c0d2e08eefd5cac469c3ea08954b1efc87ff52afcbd64b493754

SHA512
1df542534785576fa9e1fd217e2673e40f734cb367bd11a3745935dd81c6621fe8c599f986f850d57733370af75f3edb8bbf67b96e6753a4120097b3b8035c21

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
9194d645acac63f4d5d4e8c3e2a4212f

SHA1
6521133f07dfdaa515e1cb995377c03c2447c08a

SHA256
34d61905c3466739ab251ca974dfb43b549a07dc8ae371710a589d5c9a44effc

SHA512
c7e6a6be5dd193234d8c64a4f38b5b54e5bceafbbc2bfe454756b73ef0d8a7526c522415d52dec8248047431822d60f8edf4631f6da6abcbddb54596c4c28deb

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
162e7e79c200990033dec46c7f2e3480

SHA1
88a1ba550b5918fbb56d6d041ea271499e9df6fb

SHA256
988456335190e781492afdd08429f5e72dccda2de08b90a8c0eeb9a2f5d97e66

SHA512
5f4db98afdd0f1eb6fb773730bd3e3f8d884feb4c1f66913b919519055c24b06b55dc8b10652678268280d8900863841d9847240965c28f00e4bc4dd2c1955bc

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
939e1633bdcf318d017aa5d97b09b320

SHA1
2ca73cb7a4c86964dbc7c12fc69eb91785127ff3

SHA256
39fa39cc8f1d3c4f17eff1f6566609b0c2e6ca64d0bbff76106a1b0c18ea4a46

SHA512
e26631e6a869019ec6b4b61c597630f8adb3a7009ff9aaddec748bd51965910523c6a32846209a98a9f9de9559b08b7163ae0821a0c4562c64b84aaf3440c11d

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
cfa03c001ece8abdc34ee3405a3695f8

SHA1
ae01f89ebcdad8cef5ecd0ff16dcf08c60f1d895

SHA256
1944806c8348764de103d99e904aeeb4c7fb08a6bb7ab72eaeb1270cddf96914

SHA512
b5486de744d097c97778c5f692f985292dc203ff1bab571688744ef8c36a81ead7c4dd8068b742219da307a541d76be425e5b785305878e876120a5117d7673a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
ef47d9a8f92d3fc6d42b022cb11ff63c

SHA1
4d2ee6271a1f564becc3b50861192b9bc2d710a0

SHA256
57dea52e26cedcd53763497201d385ebdb9eba88d36cd54270e878141a79570a

SHA512
6305f37501d1f5748a17f29ab2953ed3e2cb2c4aface362f787f02ed67eaaa62a710ff71506b926e611574c998c446a665cccc833f53208fce896fadb19b221c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
68db958b9a2ba1528f02f1b92af973a2

SHA1
f718b45b45a8b0bcc5f0a053721522a74443c3e2

SHA256
027533ef3663fc5f6c247a04fc98d1df7d8f0bdca1972c1967c9897028bb57d6

SHA512
f66dda6d5af085311152847434da98f5c213425dbb12aae4bce68bff0662a285d4909ab0b13f9fe0ffc05b6bbd86d86af8f862456d6c72487177df57eda9727b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
db03cb7a2f3679e11c9915c1f28b60d3

SHA1
ca11a5eb8bb4fc8062c2237ccf4214759aea587e

SHA256
b52f0d09c6ee08c6f77940fc7c49a5bad551039e8f03858a0021da098a104bc6

SHA512
cef5db909162fdc99bd3ccec498ce54f4769d61c648fdcb6fd44c3f46761549e1588eaa4973f830aae5060dee914687d77515249ad2512babdf9fef58d6e2180

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
efff91ca01701e4f25cbfeb1a2667cee

SHA1
7a9caa9334c9ce080a784ca15c74cbcb6fe2d2f2

SHA256
e0bbe01dfdec5809492b1f43a085667f8a71c8ed55af1077f01cd520ec7da227

SHA512
a121bc55fd6de21c40e4138787967d26eb120c075c536be924e57dbacbbc2d719fb1ac51cf9a7052d748262aa31d1a9194368988d772599c547768f0cdad1514

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
ab40dcab51b2955480c2359277733de6

SHA1
6d137c44f1ca24eef07196241a56571a3441d229

SHA256
51d045b6706f69945b66690986a745ff8eafe824911a4fdaa7e2f0e177cdc279

SHA512
804cc62a3cc0c3291087f1a4f8394ae1ba2c5e83d25dcc81f0200328cf203a89fc38f36b4df02b0c1909b4e3aa13643ec0d63703365aa0770e343ba9471764ef

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
fec828a807f4564f143ff76ff9fd8483

SHA1
7a8bc21c407556215d7a1615f22b1d361b98bd49

SHA256
de680d50f0a29a5541273cc9f333dddf59bc62370443ce89b0ead394f606dad3

SHA512
247260c1db8ffacd02472c2b92c198bea141899aae5b7484f1a376e9f8f20a49ff049564ac1bd89b6c94935a7f18f0ffc65d67e872d27e311ccbdb336a46c7f0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
61B

MD5
5758f30cdf8028468ad333b219c01191

SHA1
53b0adaa8ee98d84e17384fc4796b785d4d030a7

SHA256
c777af9291e223b55cc91c8ceeb296765ecaff33d5b7b82933bc272b71bb851f

SHA512
72382b80ef56524cdfa0c4185f453aafc496480f399cf7eecf9b51444225486dee076ed03b9757834485e5ca3cb2ed29ffacf3a435e68b8d5391d73b69bb17ce

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
8157f7a7e6171f19f751fffedf37293d

SHA1
3c86dfa7a8b8e4eb90942aa193d94d59df299879

SHA256
d220e46cc014861720bd786c1a120988a79aaee83eb619deefc0b9296333f8d1

SHA512
c9d06fbe004c712a28a97402265df6d90ef1cbcd5d7e3f44be4aa15932382ec57ed733d1ccde4bfdcba7e345b2a2eff9c47fd9b8c2fa23221a528653ee5b5f0f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
b93933a186bace5a563ab13f28eed71e

SHA1
fd357936ddf71fa05689b51680130e8822b5491d

SHA256
7787f759658a421945059c389b32e8413927221d6355aad04d9c4e6ea76383e4

SHA512
2d48bf6d622201fad0cd3800cde08ce9a85ba1321b458493e64205eb2fd8de3051a415f0615e40081219e2ccb9c8572e79a87b27c4964d9300b41640c822a4e2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
ac3758b250653dbae200614dcc20054e

SHA1
423fbc008577bcc944451a828fbc188eabac7b48

SHA256
1e386fff514d86a42de994f5ce0cef721f2957b90ce6ea90501f6db62804c794

SHA512
e546a28af7417363fe426470dbd1078671d39b75379619a3ad0b0bf849aab37c797d95fcbfc815d22f487f904cd708712c11c78a3616f00265f89be02152104f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
54af78b9059c9f28072e97e18fd1bed2

SHA1
4cec7767b7c64bf093fb171d84cfeb4c9288d6f1

SHA256
f8a8cee58f82b06132c5fe3d2f3f0be9281d164698f466520d70b3dbc44137fd

SHA512
d8354446f3310613c3dee955858c482e648bb76222211d1f46a01067bedfa3fcf14db2e43d3b46e614030eeaf782ee6a8f9a5825abb0f008439ef1592b78f880

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
48f1d6594216b62f99b03a5fae9040db

SHA1
5f45581aa01919b55028ab19e82476b15fa66dc0

SHA256
41ad552daa57f9ad077442ed67d9b4e2a1d8bb43f62d1e079bbdf390ab348caf

SHA512
9a417e030378b1df0db2a1b02c52d0b12a5167ddcf959e437fb09dddc70a0dadb20ee18cc5905cddbd188da5e2ec8b60693f8ce7f6bca0057327dec6a915c9cf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
8116826c10a0723e5234a660b33dccd3

SHA1
defd21efc7b0ec9f5ff635a03a3bace1e5729277

SHA256
d8b286b3ee984a9d8e55f8501e4d0a72d7ed8bbff6bf93dcc197a971d6106eee

SHA512
9c9b15ef51004bab9d86d467a9b49bb8147c54de559af11d409fec9d42f78be2456dbe8312ac5057868609a5faed13eef5efab3b6c02dfa2fe874f346485adb0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
05c3b5222a31ca7823298c839c176497

SHA1
107aaee28137f4b5933bed34c41b80d7f14d8d99

SHA256
8d68c1a562b375fe773889d534adce635f45c0d323b8833e9c6a132ef0ad54a5

SHA512
ac852c390d226a849fdf0e90c038188c4798198edb8c0515a2bb37eb3e91563541a0e75e062300509a849eb4cccb804230880a1b26a9fc99131c1a836af7d374

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
e788c6a63e1234886f973a984c345ee0

SHA1
ab96c1c8e80b63b58d2f253452dd5eb3df9a05dd

SHA256
c23017feda98bb6393bed24cbad02ce61b7f4b2ac4326d348090cdae6c990e5b

SHA512
9e8c1b03193892149e08ce07f935e673f12514961bf298e0fdc3133ac3323ba6f6b6075c028199c25418aaf2f3fbe18c7edee9fc4069aaf9e53dcb2cb29c715b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
65B

MD5
6b5dab2eaf8c484de58283691f665b77

SHA1
971c9a8140c2c14ec436d84c5cffeccc79314a46

SHA256
8866463fffe6d23f3e2dd9998949b26b90a38f04a13cf8d551daf6c8579079d5

SHA512
aa54cd40db1834c70d0b41ff6f7a9730540447d4bb6aece7db94cf9f9e3e9d3201de80cdf63ac68bcd538cc792ee6f35e5c7791050e594f43ba424eb7d26f96a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
65B

MD5
a6459da35efe3a6d45898e8c205ab015

SHA1
3cf9b43b412a75202ed827351e2151ce972d5abd

SHA256
2a8e8a056a9d7d42b19ef25e0a7ea173c9b43b0ae446fb92e61350f1afe1fe8d

SHA512
25e269286b0f32e376bec2468252e3dec85c1bc33099919165bdf1b5fa25dd9e9a6c0c23a562f8f6c5c1adf44ee663db33690c38023b4ff8fc96f7691b041fa1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
8fc4b733b6f15dda24336d67ac01665c

SHA1
7c845edd1a454f7300684711918f519f8d6d54a8

SHA256
5c92bf70c385ce5269137ec3005d4621813f5ee7d8e2f1234612227831167001

SHA512
f1acd926645df51a19bc68c8722972a011783702191bd19bf0e1b9f9b8c503bbe08d513c09d2877e2aea9454cd69d8ef858aaba753079a5c894974130208a2df

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

Filesize
65B

MD5
4adfcd10a54f66b99e0be581cb6e7ee0

SHA1
20b5e3b445920d113c722e0b1abe22a9ebd349d2

SHA256
8e2508dbaae5044e7a309c3005962158b59533b26892f1338e0c5fdeb09cee16

SHA512
0fcbfd5444ef47e3b68584a2da83d87faddea0ab0c976786f32c84f940f6b412c4fdb91ea1909edfeca7bf4a078c0a40e5c7d325a775e05fea9ba260e271716d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

Filesize
65B

MD5
e0f5968bb5921d0b18a146f8da5e6cbd

SHA1
1ad771c6f801e8f094659c3485f21a1f41286641

SHA256
19f61530cc1ad1104001c85a8c28c79d04c9c98efbba8eaa92a3508a4150b134

SHA512
274a76945f1be8a342fb2c9088e29fdbc7371d958ded4dece79a66eb6d6a649bd369714c4b2ae05928e35684502f829b28470491bf6ba1fe8a4a5d8d93ecbe74

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
0e5b3695062aedb22410a37517b5d320

SHA1
74db0ce159b35a3e43cc422488eb1ea7a663f19b

SHA256
37dd44d673663ad74c5ee96e4aae7bcae6233ea02369c49a6a767680b8724fd4

SHA512
e7824ceb03883f198a1fb24a2712eb904629d8961b7bc52897f62241f7e7fb868c81aaee0ca84fafc9442eafcc964745f7691e81c079969e9a8b9cfb64159afc

Download Submit
memory/2336-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2336-4393-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2336-4394-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2336-4395-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2336-4398-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download